{
  "description": "Enterprise techniques used by WastedLocker, ATT&CK software S0612 (v1.1)",
  "name": "WastedLocker (S0612)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1548", "showSubtechniques": true},
    {"techniqueID": "T1548.002", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) has used [cmd](https://attack.mitre.org/software/S0106) to execute commands on the system.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) created and established a service that runs until the encryption process is complete.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) can encrypt data and leave a ransom note.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612)'s custom cryptor, CryptOne, used an XOR-based algorithm to decrypt the payload.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) can enumerate files and directories just prior to encryption.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1222", "showSubtechniques": true},
    {"techniqueID": "T1222.001", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) has a command to take ownership of a file and reset the ACL permissions using the takeown.exe /F filepath command.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.001", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) has copied a random file from the Windows System32 folder to the %APPDATA% location under a different hidden filename.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564.004", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) has the ability to save and execute files as an alternate data stream (ADS).(Citation: Sentinel Labs WastedLocker July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) has performed DLL hijacking before execution.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1490", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) can delete shadow volumes.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) can modify registry values within the Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap registry key.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612)'s custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) can identify network-adjacent and accessible drives.(Citation: Sentinel Labs WastedLocker July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "The [WastedLocker](https://attack.mitre.org/software/S0612) payload includes encrypted strings stored within the .bss section of the binary file.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.016", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) contains junk code to increase its entropy and hide the actual code.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1120", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) can enumerate removable drives prior to the encryption process.(Citation: Sentinel Labs WastedLocker July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1012", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) checks for specific registry keys related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1569", "showSubtechniques": true},
    {"techniqueID": "T1569.002", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) can execute itself as a service.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[WastedLocker](https://attack.mitre.org/software/S0612) checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique.(Citation: NCC Group WastedLocker June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by WastedLocker", "color": "#66b1ff"}]
}